--66% of UK companies have too few cybersecurity personnel; yet only 12% of UK cybersecurity workforce is under 35

--SMEs are hit particularly hard as just 23% of UK cyber professionals work for companies with fewer than 500 employees

London, 14th February 2017 – The largest ever survey of over 19,000 cybersecurity professionals, conducted by the Center for Cyber Safety and Education™ (the Center) as part of its eighth Global Information Security Workforce Study (GISWS) and sponsored by nonprofit professionals’ association (ISC)²®, has revealed that the world will face a shortfall of 1.8 million cybersecurity workers by 2022. This is an increase of 20% on the five-year projection made in 2015 by its bi-annual Global Information Security Workforce Study. In the wake of the UK Government Cybersecurity Strategy describing Britain’s cybersecurity skills gap as a “national vulnerability that must be resolved”, the findings show that 66% of UK companies do not have enough information security personnel to meet their security needs, and it is impacting economic security.

The Center’s Global Information Security Workforce Study has surveyed the cybersecurity workforce since 2004, providing the most comprehensive report on the industry for over a decade. Its 2017 edition included responses from over 1,000 top UK cybersecurity professionals across banks, multinationals and Government bodies. The first release of the data has revealed that the primary reason for the skills gap is that organisations are struggling to find qualified personnel, with 47% of respondents citing this as an issue.

The findings indicate the skills deficit is already impacting British businesses, with 46% of UK companies reporting that the shortfall of cybersecurity personnel is having a significant impact on their customers and a similar proportion warning that it is causing cybersecurity breaches. Forty-six percent of UK organisations expect to expand their cybersecurity workforce by more than 16% in the next 12 months, yet the shortage is holding them back.

The data also suggests that the skills shortfall means that many UK businesses are ill-prepared for the EU General Data Protection Regulation (GDPR), which, from May 2018, will impose a mandatory 48-hour window for disclosing data breaches. Twenty-two percent of UK respondents currently predict their companies would take over eight days to repair the damage if their systems or data were compromised by hackers, far longer than the legally required window for publicly reporting breaches.

In the UK, companies are failing to hire millennials, with only 6% of UK respondents stating that they will recruit from university graduates. The data also indicates that currently only 12% of the cyber security workforce is under age 35, demonstrating the dwindling pipeline of talent entering the industry at a younger age. Furthermore, 53% of the workforce is over age 45, suggesting that the UK is approaching a skills ‘cliff edge’ as the majority gets closer to retirement.

The data also indicates that employers are closing the door
to many of the millennial generation, refusing to hire and train inexperienced
recruits. Only 10% of UK respondents say that the most demand for new hires is
at entry level, and 93% say previous cybersecurity experience is an important
factor in their hiring decisions.

The failure to diversify could become a vicious circle
deterring younger generations from pursuing cybersecurity professions, with
research demonstrating that millennials are far more diverse than previous
generations and more likely to be attracted to workplaces that represent the
demographic.

Rising wages

The findings exposed evidence that SMEs could be suffering from being priced out of the cybersecurity talent market. Just 23% of respondents work for UK SMEs and a staggering 61% of the UK cybersecurity workforce is concentrated in major organisations with over 2,500 employees.

The data shows almost three quarters of UK security professionals earn over £47,000 a year and 39% command annual salaries of over £87,000. This demonstrates that the skills shortage is inflating salaries as more businesses compete for scarce talented resource.

A snapshot of key findings includes:

--There will be a global shortfall of cybersecurity workers of 1.8 million by 2022; an increase of 20% from 2015’s GISWS report (1.5 million by 2020)

--47% of UK respondents said that the main reason for the skills shortage is that it is difficult to find the qualified personnel they require

--Only 12% of the UK workforce is under 35 years old

--Only 6% of UK respondents said their organisations recruit from among university graduates

--71% of respondents say that the biggest demand is non-managerial staff. Only 10% of UK respondents say that the most demand for new hires is at entry-level

--46% of UK respondents said that their organisation’s shortage of security workers is having an impact on customers (respondents who answered 4 and 5 on a scale of 1-5)

--45% of UK respondents said that their organisation’s shortage of security workers is having an impact on security breaches (respondents who answered 4 and 5 on a scale of 1-5)

--Over a fifth of UK respondents (22%) said their organisations would take eight or more days to remediate the damage if their systems or data were compromised by hackers, with 5% predicting that they would take six weeks or more.

--74% of UK security professionals earn over £47,000 a year and 39% command annual salaries of over £87,000.

Industry reaction:

Dr. Adrian Davis, Managing Director, EMEA at (ISC)², said: “A continuing industry refusal to hire people without previous experience, and a failure to hire university graduates means Britain is approaching a security skills ‘cliff edge’ due to the perfect storm of an ageing cyber workforce going into retirement and long-term failure to recruit from the younger generation. We need to see more emphasis on recruiting millennials and on training talent in-house rather than companies expecting to buy it off-the-shelf. There is a need to nurture the talent that is already in this country and recruit from the fresh pool of talent that is graduating from university.”

Angela Messer, a Booz Allen executive vice president, and the firm’s Cyber innovation business leader and Cyber talent development champion: “Millennials will and in many cases are already critical players who enable the success of our collective cyber defence. To attract, retain and empower these millennials, it’s clear from the Global Information Security Workforce Study that our industry must be innovative not only in its tradecraft, but also in how we support this next generation of information security professionals. At Booz Allen, we provide opportunities for skills development by offering traditional training and covering certification or advanced degree program fees, as well as non-traditional learning opportunities, such as our Kaizen capture the flag platform and hacker space labs.”

Lucy Chaplin, Manager at KPMG's Financial Services Technology Risk Consulting, said: “Industry is experiencing a talent shortfall because employers are too focused on recruiting people with existing cybersecurity experience, which is like complaining that there’s a shortage of pilots but refusing to hire anyone who is not already an experienced pilot. We find that hiring and training inexperienced people pays off in better retention rates and a more diverse workforce. We recruit for attributes, such as analytical skills, rather than experience, and almost 50% of our new graduate hires are women, most of them with no previous industry experience.”

Rob Partridge, Head of BT Security Academy: “The findings confirm that graduates are being overlooked for cybersecurity roles and it is now an economic and security imperative that we change this trend. Industry needs to recruit more young people in general by offering more graduate jobs and in-work training. BT is committed to giving young people the chance and will be recruiting graduates and degree apprentices once again this year, in addition to the 170 we announced last year. Universities also need to place more of an emphasis on teaching cyber in their degree courses to prepare students for work in the connected economy.”

Richard Horne, cyber security partner at PwC said: "Supporting and developing the next generation of cyber security talent is essential to the future of the industry. At PwC, we are on track to recruit more than 1,000 technology specialists over the next four years at both graduate and experienced levels. Cyber security hires will be a significant part of this and this year we're increasing the number of graduates we're recruiting to meet increasing client demand.

"We believe it's important to help our graduates experience the many different paths a career in this field could follow by offering a rotation programme around our teams, ranging from threat intelligence and incident detection and response to security transformation programmes and legal and regulatory compliance. Cyber security roles can often be seen as purely technical but today's well-rounded cyber security expert has a diverse skillset, with not only technical knowledge but also wider business skills like creativity, organisation, relationship-building and communication."

About the Center for Cyber Safety and Education’s Global Information Workforce Study

The first release of data from the Global Information Workforce Study, the Millennials – the Next Generation of Information Security Workers report, was sponsored by Booz Allen Hamilton, and is the first of a series to be released by (ISC)² in 2017 as part of the new format for the bi-annual Global Information Security Workforce Study. Several reports will be released throughout the year with new, previously unpublished information and insights about the global information security workforce. The next report, which will focus on women in cybersecurity, will be released in early March.

About the Center for Cyber Safety and Education

The Center for Cyber Safety and Education (Center), formerly (ISC)²
Foundation, is a nonprofit charitable trust committed to making the cyber world
a safer place for everyone. The Center works to ensure that people across the
globe have a positive and safe experience online through their educational
programs, scholarships and research. Visit www.iamcybersafe.org.

About (ISC)²®

(ISC)² is an international nonprofit membership association focused on
inspiring a safe and secure cyber world. Best known for the acclaimed Certified
Information Systems Security Professional (CISSP®) certification,
(ISC)² offers a portfolio of credentials that are part of a holistic,
programmatic approach to security. Our membership, over 120,000 strong, is made
up of certified cyber, information, software and infrastructure security
professionals who are making a difference and helping to advance the industry.
Our vision is supported by our commitment to educate and reach the public
through our charitable foundation – The Center for Cyber Safety and Education™. Visit www.isc2.org.

Booz Allen Hamilton (NYSE: BAH) has been at the forefront of strategy
and technology for more than 100 years. Today, the firm provides management and
technology consulting and engineering services to leading Fortune 500
corporations, governments, and not-for-profits across the globe. Booz Allen
partners with public and private sector clients to solve their most difficult challenges
through a combination of consulting, analytics, mission operations, technology,
systems delivery, cybersecurity, engineering, and innovation expertise.

With international headquarters in McLean, Virginia,
the firm employs more than 23,000 people globally, and had revenue of $5.41
billion for the 12 months ended March 31, 2016. To learn more, visit BoozAllen.com.
